Logon Logoff Event: 4646

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Logon Logoff » Logon Logoff Event: 4646

Event ID 4646 – IKE DoS-Prevention Mode Started

Event ID 4646
Category Logon/Logoff
Sub-Category Audit IPsec Main Mode
Description IKE DoS-prevention mode started

Events generated by the Autenticated Internet Protocol (AuthIP) and the Internet Key Exchange protocol (IKE) during Main Mode negotiations are audited by the codes which fall under Audit IPsec Main Mode subcategory.

Why does event ID 4646 need to be monitored?

  • This should be monitored for IPsec Main Mode troubleshooting
  • To check if Security ID is returned as %1

Pro Tip:

With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks IPsec negotiations and other related activities, thus helping you meet your security, operational, and compliance needs with absolute ease.

Event 4646 applies to the following operating systems:

  • Windows 10
  • Windows Server 2016